WordPress 2.8.6 Security Release – Considerations!
Update: Upgrade your WordPress blog NOW!
The vulnerability is more serious than the extract from WordPress.org below first suggested, and an immediate upgrade is now advised. The security hole can allow a script to add files to the site’s root directory, which can lead to major disruption of your blog. Files such as index.html can be added to your site root via this hole; these can include warez, viruses and porn-type files. Thanks to the prompt action of those who spotted the breach, and to WordPress for the prompt release of the latest secure version, we can now eliminate the problem by upgrading immediately.
Many of you will have realised that a new version of WordPress is now available and, as with all interim releases, this is a security patch release.
But before you upgrade, here are a few things to consider and take into account. (I know it’s a change of tone on my part, as I always advise immediate upgrade.)
This is why WordPress v2.8.6 has been released:
2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.
The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.
That snippet is from WordPress.org and outlines the reason behind the security release – so if the above applies to you, then by all means go ahead and upgrade asap.
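The second issue in the snippet, file-name sanitization that “can be exploited in certain Apache configurations”, comes down to Apache’s mod_mime treating every dot-separated suffix of a file name as an extension: on a server that maps .php to a handler with AddHandler, an upload stored as photo.php.jpg is still handed to PHP. The Python check below is an added illustration written for this post, not WordPress’s own code; the handler-extension list and the upload allow-list are assumptions for the example. It shows the defensive idea of requiring an allow-listed final extension and neutralising any intermediate part that names a script handler by appending an underscore, similar in spirit to the approach taken in the 2.8.6 fix.

```python
"""Defensive file-name check for the Apache multiple-extension problem.

Added example, not WordPress code. Both extension sets below are assumptions
for illustration; match them to the server's actual handler configuration.
"""
import os
import re

# Extensions a typical Apache + PHP setup maps to a script handler (assumed).
HANDLER_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps", "pl", "cgi", "py"}

# What the upload form is permitted to store at all (assumed allow-list).
ALLOWED_FINAL_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Anything outside this character set is stripped from the name.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_upload_name(filename: str) -> str:
    """Return a storage-safe file name, or raise ValueError.

    1. Drop any directory component and unsafe characters.
    2. Require the final extension to be on the allow-list.
    3. Append '_' to every intermediate part that names a script handler,
       so mod_mime no longer recognises it as an extension.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    name = _UNSAFE_CHARS.sub("", name)
    if not name or name.startswith("."):
        raise ValueError("empty or hidden file name rejected")

    parts = name.split(".")
    if len(parts) < 2:
        raise ValueError("file name has no extension")
    if parts[-1].lower() not in ALLOWED_FINAL_EXTENSIONS:
        raise ValueError(f"extension .{parts[-1]} not allowed")

    base, middle, ext = parts[0], parts[1:-1], parts[-1]
    # Neutralise handler extensions hiding in the middle of the name.
    safe_middle = [p + "_" if p.lower() in HANDLER_EXTENSIONS else p for p in middle]
    # Drop empty parts produced by doubled dots such as "a..jpg".
    safe_middle = [p for p in safe_middle if p]
    return ".".join([base, *safe_middle, ext])


def is_served_as_script(filename: str) -> bool:
    """Model of mod_mime's behaviour on an AddHandler-based setup: any
    extension anywhere after the base name that maps to a handler makes
    the file executable, regardless of the last extension."""
    extensions = filename.split(".")[1:]
    return any(e.lower() in HANDLER_EXTENSIONS for e in extensions)


if __name__ == "__main__":
    # Constructed sample upload names for demonstration.
    for candidate in ["photo.php.jpg", "report.pdf", "../../evil.phtml.PNG", "shell.php"]:
        try:
            safe = sanitize_upload_name(candidate)
            print(f"{candidate!r} -> {safe!r}; served as script: {is_served_as_script(safe)}")
        except ValueError as err:
            print(f"{candidate!r} rejected: {err}")
```

The check is deliberately an allow-list on the final extension plus neutralisation of the inner parts, rather than a deny-list alone: a deny-list has to know every handler the server is configured with, whereas the underscore rewrite leaves the stored name harmless on a server whose handler map you do not control.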
Here are a few factors to consider before upgrading.
A number of plugins have returned errors after I upgraded to the latest version – this by no means suggests a problem with WordPress itself.
This in turn caused a few problems for me.
a) I could not log out from the admin dashboard; the error returned was “You are attempting to log out of ‘SiteName’ Please try again!” (My understanding is that this is an issue with the log-out hook in the theme I’m currently using; under investigation at the moment.)
- Workaround, should you find yourself in this predicament: place the cursor in your address bar and hit Enter. On refresh you will get a message asking if you are sure you want to log out, with a log-out link; click on the link and you should be able to log out. Seems to work fine after that!
b) On visiting the main site, the sidebar login widget showed that I was not logged in, even though I could still access the admin dashboard with limitations on certain elements. I narrowed this down to the sidebar login plugin, now deactivated until the issue is resolved, hopefully by a new plugin update.
c) While writing a post I was getting a MySQL database error; again this was narrowed down to a plugin, this time the “Thank you counter button”. Deactivating the plugin resolved the problem, so I am awaiting an updated version.
There may be more issues cropping up as time goes by; I will keep this post updated should I come across any more issues, and remedies if available. If you are having problems after upgrading to the latest version of WordPress, please leave a comment and I’ll investigate further.
“logged in users who have posting privileges”
What if the user doesn’t have posting privileges? Because I don’t even have comments activated on my site, and I’m the only one with posting privileges.
Thank you for sharing such useful information with us. It is also good to immediately upgrade WordPress.
@Julenissen@forbrukslån – The initial advice was that the security hole could be exploited by registered and logged-in users with posting privileges.
But now the consensus among experts is that this can also be exploited by scripts which can impersonate a registered user and inject itself into the root of your hosting. It is therefore highly recommended to upgrade to the latest version asap.
You may have some issues with some of the plugins (very few, if I may add) and some themes may be – even then that would be way less hassle compared to what would happen if somehow your blog is exploited.
@Bilal Ahmad – You are welcome, Bilal, glad to be of service to the community.
I love WordPress and have used it on many blogs, but one thing is for sure: you have to stay on top of these WordPress updates or you can be hacked quickly and badly. It has happened to me twice. Thanks for making us aware of this update.
Great post. Appreciate this great service.
@Jimbo @ lift tables skirt – No problem
– Agreed on keeping on top of and up to date with upgrades. As with any modern technology, there are always crooks who want to spoil the fun and there are always those dedicated to combating them, so once again hats off to the guys at http://www.wordpress.org
@Jack@Free International VOIP Calls Worldwide – You are welcome Jack, glad to be of some service
I just love my WordPress blog and I have upgraded it already, and I think 2.9 is going to appear in the future.
@saurabh@uk seo expert – Good going, Saurabh.
Always keep up to date and out of trouble.
2.9 is under beta testing for bug hunting at the moment and is due for release in early December, I hear – looking forward to that.
Thanks a lot for sharing, first of all. I am a UK staff member; I recently came to your blog and it’s excellent, keep it up.
Best regards!
Thanks for this important information. I already knew that.
To be honest, I find all of these patches and updates to be a bit too much. I wish that WordPress would figure out a way to automatically update without me having to manually install the software on my server constantly.
@Tim@Naperville Pest Control – Now that would be neat. But the thing is that not all blogs, themes and settings are the same, so if there was an automatic upgrade and a site broke, WordPress would have to take the responsibility of fixing it.
An auto upgrade where we do nothing would mean rewriting the code to facilitate such automation. I don’t think the guys at WordPress have the capacity to go that route yet. They are already doing an awesome job with the platform, and that too for free; it wouldn’t be fair to load all the work onto them.
Just like a car, maintenance and upkeep is up to the owner; as bloggers we should take responsibility for our sites and the software we use.
Maybe a third party development team could be the answer – what do you think?
This is really a great thing to know about the WordPress 2.8.6 Security Release. WordPress is used by most people, so it was a very necessary thing. I hope it will get its desired success; anyway, keep it up and keep continuing.
Really, WordPress is great. It is open source for blog publication and content management. I got good information about its releases, thanks for sharing. I will use it and tell you the results. Thanks.
@The Rock, no problem dude. WordPress is forever evolving and shall continue to grow to great heights, I am sure.
Good thing that I am already using the latest WordPress. This is really a serious problem, and thanks to those who have discovered the breach. I hope there will be a way to get at those crooks who are trying to get at us. This can surely help with the problems that we, internet users, are facing.